All those Passwords

- I hate all those passwords that I need to remember. It’s really annoying. And every time I forget one of them I have to go to fill out one of these forms and wait for them to give me a new one.

These words could be taken from numerous of my presentations, but this time I’m innocent. Instead, I have just finished my training session at the gym and happens to tap into a conversation between young students at the local University. I’m becoming fascinated with this discussion to the extent that I’m now taking extra long time to tie my shoes.

I’m fascinated because this discussion is taking place almost on the spot five years after I was listening to Bill Gates at the RSA conference in San Francisco predicting the demise of traditional passwords. And since then very little has changed.

"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure." Said Bill Gates in 2004.

This conversation also takes place fifteen years after the Swedish “Allterminal” procurement, which lead to deployment of a SmartCard and PKI based information security solution for the Swedish Police and the Swedish Tax board which effectively eliminated the use of passwords for many of their IT applications. So why are we still using passwords?

There seems to be some major reasons for this paradox:

Passwords can be remembered and processed by a human. Other security tokens have to be stored in some form and used with a device with mathematical processing power that exceeds that of a human person. We totally underestimated how hard it is to provide humans with this capability and to make sure it is never lost, forgotten or breaks, always follows its owner around and interfaces to all his/her computers.

We made solutions too complex and required them to be extremely secure to the degree where the cost of implementing them was exceeding their benefit

We totally underestimated the complexity of user identities when creating standards for universal tokens. What is an acceptable user identity to one system is not acceptable to another

We underestimated the Integrity aspects of having common security credentials for a wide range of IT systems

We have created very clever standards that could be used to solve all these issues, but the problem and its solution has grown so complex that it no longer can be printed on a T-shirt. This means that 95% of the potential audience will not have the energy to listen and understand the challenge.

What makes me hopeful is just those young students who simply can’t understand, nor accept our failure to fix their problem. So if we can’t step up to the challenge, then I feel sure that somehow they will.